Message-ID: <Pine.GSO.4.51.0608301849180.26107@faron.mitre.org>
Date: Wed, 30 Aug 2006 19:12:19 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Carsten Eilers <ceilers-lists@....de>
Cc: "Steven M. Christey" <coley@...re.org>, bugtraq@...urityfocus.com
Subject: Re: JetBox cms (search_function.php) Remote File Include
On Wed, 30 Aug 2006, Carsten Eilers wrote:
> Bad test, I know, but a "quick$dirty" way to look, which
> parts are executed and which not.
Hey, it works :)
> >Notice the "?>" in front of the include statement, which closes off
> >the first bit of executable code.
>
> I'm not sure about the definition of function-definitions.
> In a normal script it's possible to mix <?...?>-PHP-Code
> and HTML-Code, for example if there are many HTML-tags which
> otherwise had to be echo'ed in PHP. Is this possible inside
> a function-definition? The PHP-Manual says nothing about
> this (or I didn't find it :-) ).
Yes, this is possible, now that I've looked more closely.
1) A function definition can cross multiple <?php> tags
2) Because of (1), not every <?php> tag will be 'executed' at the moment
of loading, if it's enclosed within a function definition. The
affected include statement was isolated within its own <?php> tag,
which made it seem like it might execute upon loading.
3) You can also have HTML within that function definition, which will be
printed out when the function is called, not when it is being parsed.
These interesting properties were what confused me.
> >So, this looks like it could be exploitable using a direct request to
> >search_function.php, since at the point of the include, the
> >$relative_script_path variable is *not* initialized.
>
> It someway looks like this, yes.
It looks like this, but the include does fall within the scope of the
function definition, once you merge all the <?php> constructs together.
So, this does not look exploitable.
> But I tend to the conclusion, the whole script is really only
> one function-definition.
I agree.
- Steve
P.S. Here is some demonstration code to highlight some of what I
mentioned here.
=======================================================
... at the beginning of the file ...<br>
... begin definition for abc() - fragment 1 ...<br>
<?php
function abc () {
echo "... executing first statement in abc() ...<br>";
?>
<b>... this HTML is within abc()'s definition and will only be printed
out when abc() is called, not when this file is loaded. Notice how
this HTML appears AFTER the "calling abc()" string in
the web output, but it appears BEFORE that string in the raw
source...<br></b>
... finishing abc() - closing brace - fragment 2 ...<br>
<?php
echo "... executing last statement in abc() ...<br>";
}
?>
... more HTML cruft between php tags ...<br>
<?php echo "... calling abc() ...<br>"; abc(); ?>
... at the end of the file ...<br>
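As an added example that is not part of the original thread or the JetBox code base: a small audit helper in PHP that uses the language's built-in tokenizer (token_get_all) to report, for every include/require in a file, which function body (if any) encloses it. Closing tags and inline HTML are deliberately ignored, because, as the discussion above establishes, a "?> ... <?php" boundary does not end a function definition; only the braces do. The sample source fed to it is constructed for the example and the file names in it are placeholders.

```php
<?php
// Added example (not from the original thread): report the enclosing function
// of every include/require in a PHP source, using PHP's built-in tokenizer.
// T_OPEN_TAG, T_CLOSE_TAG and T_INLINE_HTML never change scope; braces do.

function findIncludeScopes(string $source): array
{
    $tokens      = token_get_all($source);
    $depth       = 0;      // current brace nesting depth
    $funcStack   = [];     // open function bodies: ['name' => ..., 'depth' => ...]
    $pendingFunc = null;   // function whose opening '{' has not been seen yet
    $results     = [];

    foreach ($tokens as $i => $tok) {
        if (is_array($tok)) {
            [$id, $text, $line] = $tok;
            if ($id === T_FUNCTION) {
                // Look ahead for the function name; closures have none.
                $name = '{closure}';
                for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
                    $t  = $tokens[$j];
                    $tt = is_array($t) ? $t[1] : $t;
                    if ($tt === '&' || (is_array($t) && $t[0] === T_WHITESPACE)) {
                        continue;
                    }
                    if (is_array($t) && $t[0] === T_STRING) {
                        $name = $t[1];
                    }
                    break;
                }
                $pendingFunc = $name;
            } elseif ($id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
                // "{$var}" inside a string: its closing '}' arrives as a plain token
                $depth++;
            } elseif (in_array($id, [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
                $results[] = [
                    'line'     => $line,
                    'keyword'  => $text,
                    'function' => $funcStack ? end($funcStack)['name'] : null,
                ];
            }
            continue;   // open/close tags and inline HTML: no effect on scope
        }

        if ($tok === '{') {
            $depth++;
            if ($pendingFunc !== null) {
                $funcStack[] = ['name' => $pendingFunc, 'depth' => $depth];
                $pendingFunc = null;
            }
        } elseif ($tok === '}') {
            if ($funcStack && end($funcStack)['depth'] === $depth) {
                array_pop($funcStack);
            }
            $depth--;
        } elseif ($tok === ';' && $pendingFunc !== null) {
            $pendingFunc = null;   // abstract/interface method: no body follows
        }
    }
    return $results;
}

// Constructed sample modelled on the demo above: the first include sits inside
// abc() even though a ?> ... <?php boundary separates it from the opening brace;
// the second include is at file scope and runs on every direct request.
// File names are placeholders.
$sample = <<<'PHPSRC'
... top of file ...<br>
<?php
function abc () {
    echo "... executing abc() ...<br>";
?>
<b>HTML inside abc()'s body</b>
<?php
    include($relative_script_path . "example.php");
}
?>
<?php include("header.php"); ?>
PHPSRC;

foreach (findIncludeScopes($sample) as $hit) {
    printf("line %2d: %-8s %s\n", $hit['line'], $hit['keyword'],
        $hit['function'] === null
            ? 'file scope: executes when the file is loaded'
            : "inside {$hit['function']}(): executes only when it is called");
}
```

Run it with the PHP CLI; it reports the include that uses $relative_script_path as being inside abc() and the second one as file scope. When triaging a file-include report, this is the check that separates "the include statement is visible in its own <?php tag" from "the include actually executes on a direct request": only a file-scope include with an uninitialised path variable is reachable that way.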